MnemnocH said:
How did you guys get hacked? Did they hacked your email first to circumvent steamguard? Don't you guys use authenticator for your email?
They had also hacked my email first, I've since changed the password. And I was using the sms authenticator for my email but apparently it's not very secure, and I never received an sms message regarding my email. (can be spoofed easily)
Unfortunately my wife and I had gone to town (Tuesday) to celebrate our anniversary since I had to work on the actual day of it (Wednesday). We got home at around 8:30 or so and I noticed I was logged out of Steam, and that my login no longer worked. Checked email and saw what the Tunisian bastard had done, filed a steam support ticket with everything that's asked for on Steam's site (hopefully it's resolved soon) and spent the rest of the night changing 100's of passwords. Looking back this whole week has been pretty shitty, wife and I both broke a toe Monday (her while at home and me at work pretty much within minutes of each other which was eerie to me)
oh the article I found talking about the authenticators not being too secure.
[customspoiler="long ass article here, may cause drowsiness and fatigue, do not operate heavy machinery while reading this otherwise it may lead to serious injury or death."]Banks shouldn't use text messages for two-factor authentication
Jeremy Kirk
Dec 12, 2013 6:52 AM
print
Jeremy Kirk
A widely used security feature intended to protect access to online bank accounts is becoming increasingly ineffective, as cybercriminals develop advanced malicious software for Android devices, according to a report released Wednesday.
Many banks offer their customers two-factor authentication, which involves sending an SMS message with a code that’s entered into a Web-based form. The code expires in a few minutes and is intended to thwart cybercriminals who have a person’s login credentials.
But there are now multiple mobile malware suites that work in tandem with desktop malware to defeat one-time passcodes, wrote Ken Baylor, research vice president for NSS Labs.
”Do not rely on SMS-based authentication,” the report said. “It has been thoroughly compromised.”
Nearly all mobile malware is written for the open-source Android OS, which allows users to install any application, the report said. iOS mobile malware is rare since Apple forbids downloading applications that haven’t been vetted by the company.
Cybercriminals use a one-two punch. Once a PC is compromised, the malware injects new fields or pop-up menus into the screen, asking a person’s phone number and their mobile operating system type and phone model.
A link is sent to the phone, which if clicked prompts for the installation of malware that sends one-time passcodes to another phone, allowing someone to log into a person’s bank account, the report said.
Much of the PC and mobile phone malware originates from countries that were part of the former Soviet Union. The malware developers focus on Android since it is widely used, and there appear to be few iOS specialists in those nations, the report said.
Well-known desktop banking malware programs such as SpyEye, Citadel, Zeus and Carberp all have a mobile Android component. Although Google patrols its Play store for malicious applications “a significant amount of malware escapes detection,” the report said.
Financial institutions have been slow to keep up. As mobile banking continues to grow, their applications have security weaknesses.
”Many banks still operate mobile applications that are merely HTML wrappers rather than secure native apps,” the report said.
The applications should be revised to “include a combinations of hardened browsers, certificate-based identification, unique install keys, in-app encryption, geolocation and device fingerprinting,” it added.
[/customspoiler]
PKB Mac said:
That's rough, man. I'm sorry to hear about this. Out of curiosity, did you purchase from Bundle Bandits, log in details there, or simply visit? I'm wondering how paranoid I should be. Thanks for warning us all. I hope you're able to get it sorted.
didn't purchase but was on their damn mailing list (it was dumb of me not knowing if it was legit or not) also helped that the only game I wanted in that bundle was on indiegamestand the next day, puddle .
Miranda said:
Wow. I definitely need to pay more attention now on anything that asks for my Steam login. That's pretty crazy, especially that the Steamrep got hacked.
I hope you, sunasun, and anyone else who had their account hacked are able to get them back.
You were on my friend list, but I didn't get any phishing messages from you like the one Dan posted earlier.
I'm starting to think they were after my son's team fortress 2 items, he's always ignoring messages and invites, maybe someone got pissed that he wouldn't trade with them.
incoming soon Sunasun code drop
Stay tuned for details